New Release: Tor Browser 9.0.9

Tor Browser 9.0.9 is now available from the Tor Browser download page and also from our distribution directory.

This release updates Firefox to 68.7.0esr, NoScript to 11.0.23, and OpenSSL to 1.1.1f.

Also, this release features important security updates to Firefox.

The full changelog since Tor Browser 9.0.8 is:

  • All Platforms
    • Update Firefox to 68.7.0esr
    • Bump NoScript to 11.0.23
    • Bug 33630: Remove noisebridge01 default bridge
  •  Windows + OS X + Linux
    • Bug 33771: Update some existing licenses and add Libevent license
    • Bug 33723: Bump openssl version to 1.1.1f
  • Windows
Anonymous

April 10, 2020

Permalink

Javascript cannot be enabled temporarily via NoScript anymore as long as the Tor security level is on safest. Has already been the case with version 9.0.8. And it really sucks !! The same holds true for viewing PDFs ...

You can TEMPORARILY set "javascript.enabled" to "True" on "about:config" page. Then you allow javascript with NoScript.
Do not visit other sites while doing that, after you are done set "javascript.enabled" to "False"

But you could forget to turn it back to False, so maybe it's better to switch Security Level to lower to visit page where you want to enable javascript...

If it's worth doing all that, you're better off moving the slider to Safer, loading the page you want, and moving it back to Safest. If you mess with NoScript whitelists or about:config options it will give your browser a unique fingerprint.

Anonymous

April 11, 2020

Permalink

Hi. What is the difference between the .APKs that have "-qa" and the ones without '-qa' at the end? Thank you.

Anonymous

April 11, 2020

Permalink

youtube - just wanted to drop by and say this is now working normally again, no idea why since I havent any new updates. anyways I hope it stays this way.

instead I have now ran into something else, i sometimes use the (translate . com) and normally its able to translate full sentences but for some reason it only translate word by word now. not sure if this is related to the tor browser, however it did work properly before the 9.0.9 version. could you please check this up.

thanks in advance for all hard work guys, much appreciated.

I had time to do a brief investigation - TBB908 (clean installation) was also affected (as well as TBB909) so - it looks like an issue on Google-YouTube side ("probably" - as I did not test direct connection without Tor-network). Now YT works fine.

Anonymous

April 11, 2020

Permalink

STOP BLINDING US BY POPPING OUT A HUGE WHITE WINDOW WHILE CONNECTING TO TOR!!! GO BACK TO THE OLD WAY... FIRST YOU CONNECT TO TOR. THEN OPEN A NORMAL LOOKING PURPLE COLORED WINDOW.

TAKE WHITE WINDOW BACK!!!

Did you change Preferences and forget that you did? Main menu -> Preferences -> Home in side column -> Homepage and new windows -> About Tor is the default unless you changed it to Blank Page.

Anonymous

April 11, 2020

Permalink

When I am attempting to read this blog, it often happens that *all* my circuits share an exit node from the same large family of fast nodes. Could this be evidence that Tor users are once again under attack by a large family of fast nodes controlled by some "researcher" at an institution such as Carnegie Mellon's SEI?

Willing to name the family if it would help. I suspect others are seeing the same thing.

you can exclude nodes by editing torrc-file.
DataDirectory ...
EntryNodes yourchoice1,yourchoice2
ExcludeNodes {us},badnode1,badnode2,{??}
ExcludeExitNodes badnode3,badnode4,{??}
GeoIPFile ...
GeoIPv6File ...

Can you check if this also happens across different instances of the Tor client? Such as in different VMs or different physical devices, do they also share the same exit families?

Checked with a second device and I still see the same large family in most of my circuits. When I try to connect to several large US news sites, I have to hit the "new circuit for this site" button several times to avoid it.

This problem (I see it as a potential danger to anonymity and as suggesting a cybersecurity flaw somewhere in how the Tor network actually works, a possible flaw which may or may not be addressable by TP) has noticeably eased somewhat in the past few days, but I have been tracking it for some months and I keep seeing it flare up again the point where almost all my circuits have this family in the relay or exit nodes.

[Second attempt to reply]

Yes, I tried using another laptop, with the same results.

During my visit today I had to hit the "new circuit for this site" button three times to obtain a circuit which did not use this particular large family.

Anonymous

April 13, 2020

Permalink

After 9.0.9 was installed, my Norton Internet Security shows a warning message at startup that tor.exe does not have a valid digital signature. How do I solve that?

Anonymous

April 13, 2020

Permalink

Hello! Will we have builtin protection against "CSS Exfil Vulnerability" in TBB? Is it serious vulnerability? Should we use extra extension for fix?
Information:

"CSS Exfil Vulnerability Tester" - https://www.mike-gualtieri.com/css-exfil-vulnerability-tester
"URL" - https://github.com/mlgualtieri/CSS-Exfil-Protection

+ https://www.bleepingcomputer.com/news/security/css-code-can-be-abused-t…
+ https://github.com/jbtronics/CrookedStyleSheets
+ https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-…

(There are both Chrome and FF extensions - "CSS Exfil Protection" at Mozilla's and Google's stores)

It doesn't sound like the risk is any greater to Tor Browser users than regular Firefox users. If anything, less so, because TB is always in private browsing. As long as you're using basic hygiene, like restarting the browser between different activities and using only HTTPS, I don't see a significant risk. I wouldn't install the extension because it could give your browser a unique fingerprint. I imagine it'll be fixed in upstream Firefox soon, which will make its way to Tor Browser eventually.

Anonymous

April 14, 2020

Permalink

I have visited a .onion website and the icon in the browser was not a green onion, but a grey one and when I pressed it was writing "Insecure Connection".
Is possible a .onion site to come without encryption?
Platform:Android

> Is possible a .onion site to come without encryption?

No, it's not possible, but the browser isn't aware of Tor's encryption. It's just telling you the site doesn't use an HTTPS certificate, but onion sites are always encrypted by Tor itself, behind the browser's back.

> No, it's not possible, but the browser isn't aware of Tor's encryption.

Misleading. It is not possible for the onion's direct resources to come without encryption, but it is possible for the onion's webpage to contain subresources served over HTTP. Tor Browser is aware of onion services' 6-relay circuits and indicates those with an onion icon rather than a padlock icon. Tor Browser does not indicate 3-relay Tor encryption by an icon in the address bar but does indicate it if you click on the icon to view the circuit. Tor's 3-relay circuits are always used, so it is redundant and unnecessary to indicate those unless you modify Tor Browser to make it not use Tor.

> It's just telling you the site doesn't use an HTTPS certificate

Incorrect. According to the Support FAQ, a grey onion icon means the site is an onion service that either has a self-signed HTTPS certificate or serves subresources over HTTP.

> onion sites are always encrypted by Tor itself

Correct for an onion page's direct resources but misleading for subresources loaded by the page.

https://support.torproject.org/#onionservices
https://community.torproject.org/onion-services/overview/

Anonymous

April 14, 2020

Permalink

Since 9.09 tor-update, the DuckDuckGo website has lost the menu icon. Also the url: duckduckgo.com/settings has been stripped to virtually a blank page, so I can't load my settings any more.

I've now restored my 9.07 backup just in case the new tor version has done even more damage without my knowing. There seems to be some contoversial discussion about DDG and privacy on this page as well. What's up?

KaiOS is a fork of Firefox OS, not Android, and is based on Linux. Tor Browser is available for Linux desktop and Android. You could try to install the Android or Linux versions of Tor Browser, but they probably won't work.

Anonymous

April 14, 2020

Permalink

what is being done to prevent sites from blocking tor? too many sites are unusable with tor.

Nothing. That's not even a goal of the Tor Project. Except for trying to convince them to willingly unblock Tor, which is obviously the best solution but doesn't usually work.

Here are some tips for getting around certain kinds of blocks:
1. in the URL bar, type "web.archive.org/save/" before the real URL, so "web.archive.org/save/https://torproject.org/blog" for example. This works great for non-interactive sites and doesn't require JS.
2. Use startpage.com's web proxy button. Unfortunately this only works on search results.
3. Use the "cached" link in Google search results.
4. Use a glype web-proxy. These can be used on interactive sites, although a lot of sites break. Just search for glype proxy lists.
5. Build an SSH tunnel or TCP-based VPN tunnel through Tor. In theory, any site should work with this configuration, but I've never been able to make this kind of tunnel work reliably. It also requires a VPS or shell account or VPN account, which are usually not free.
6. Mozilla recently came out with a browser extension that is supposed to provide the functionality of a VPN. I don't know how it works, but I highly doubt it uses a real UDP-based VPN (though they offer that as well). Most likely it runs over an HTTPS proxy of some sort. Maybe it could work within Tor Browser to unblock sites. https://fpn.firefox.com/browser

Anonymous

April 15, 2020

Permalink

Why do I always get the message 'Something has gone wrong!' with a red screen on Tor Browser start?

This has been happening intermittently for the entire 9x series of Tor Browser. After I see the scary red screen, I then proceed to do a browser check at check.torproject.org and Tor is indeed working with the message, " Congratulations. This browser is configured to use Tor. "

Why does the browser report Tor is not working, but the Tor website reports that it is?

Might want to get those two departments synchronized at some point. Just a thought.

Hello! This is the known "red bug" - it is not related to 9x versions. Bug is quite old and "hardly" reproducible (and has workaround - just do restart TBB). Bug can be observed on Windows.

I strongly suggest to use firewall to be on the safe side (in early days - with ****no firewall*** AND ***when happened*** mentioned bug - TBB WAS ABLE TO DO DIRECT NETWORK CONNECTION IMHIDING YOUR IP ADDRESS!!! + I did not tested current state)
- so you have only ALLOW "tor.exe" as program that may do network activities throw firewall.

* netsh advfirewall set allprofiles state on
* netsh advfirewall set allprofiles state off

* netsh advfirewall firewall add rule name="MYTOR" dir=out action=allow program="C:\*****\Tor Browser\Browser\TorBrowser\Tor\tor.exe" description="MYTOR" enable=yes profile=any localip=any remoteip=any interfacetype=any protocol=tcp
* netsh advfirewall firewall delete rule name="MYTOR"

Anonymous

April 16, 2020

Permalink

When I am visit that blog page with cookies enable,the page is reloading constantly, so i cat browse.
I have to disable cookies to work.
This happens on android, with TOR browser.